Documentation
¶
Index ¶
- func AssertNormalized(cfg *Config) error
- func ForgeLinkBase(provider, baseURL, projectID, branch string) (string, error)
- func ForgeRawBase(provider, baseURL, projectID, branch string) (string, error)
- func MatchCondition(c Condition) bool
- func MatchConditionWith(c Condition, tag, branch string) bool
- func MatchPatterns(patterns []string, value string) bool
- func MatchPatternsWithPolicy(patterns []string, value string, policyMap map[string]string) bool
- func MigrateToLatest(data []byte) ([]byte, error)
- func Normalize(cfg *Config) error
- func ParseDuration(s string) (time.Duration, error)
- func ParseForgeURL(rawURL string) (provider, baseURL, projectID string, err error)
- func ParseSize(s string) (int64, error)
- func ResolveLinkBase(cfg *Config) (string, error)
- func ResolvePatterns(patterns []string, policyMap map[string]string) []string
- func ResolvePublishOrigin(cfg *Config) (string, error)
- func Validate(cfg *Config) (warnings []string, err error)
- type AgePruneRule
- type BadgeConfig
- type BadgeSpec
- type BadgesConfig
- type BreakingConfig
- type BuildCacheConfig
- type BuildCachePrunePolicy
- type BuildConfig
- type BuilderConfig
- type CacheConfig
- type ClusterConfig
- type CommitConfig
- type CommitPresentation
- type CommitType
- type CompiledPatterns
- type Condition
- type Config
- type ContainerPrunePolicy
- type CrucibleConfig
- type DependencyCIConfig
- type DependencyCommitConfig
- type DependencyCommitPromotion
- type DependencyConfig
- type DependencyHandoff
- type DependencyMRConfig
- type DependencyScopeConfig
- type DetailRule
- type DockerDriftPolicy
- type DockerIaCConfig
- type DockerLifecycleConfig
- type DockerSecretsConfig
- type DockerTargetSelector
- type DockerTargetsConfig
- type DocsCommitConfig
- type DocsConfig
- type DocsGeneratorsConfig
- type ExposureRule
- type ExposureRules
- type ExternalCacheConfig
- type ExternalRetention
- type FilterConfig
- type GitOpsConfig
- type GlossaryConfig
- type GlossaryType
- type GovernanceCluster
- type GovernanceClusterGroup
- type GovernanceClusterTargets
- type GovernanceConfig
- type HostCleanupConfig
- type ImageProtection
- type ImagePrunePolicy
- type Level
- type LifecycleConfig
- type LintCacheConfig
- type LintConfig
- type LocalCacheConfig
- type LocalRetention
- type ManifestConfig
- type MirrorConfig
- type ModuleConfig
- type NarratorFile
- type NarratorItem
- type NarratorPlacement
- type NetworkPrunePolicy
- type OIDCConfig
- type PhraseRewrite
- type PoliciesConfig
- type PresentationConfig
- type ProtectionPolicy
- type PrunePolicy
- type PublishOrigin
- type RegexRewrite
- type ReleaseConfig
- type ReleasePresentation
- type RenderConfig
- type RetentionPolicy
- type RewriteConfig
- type ScannerCacheConfig
- type ScannersConfig
- type SecurityCacheConfig
- type SecurityConfig
- type SourceConfig
- type SourcesConfig
- type SummaryFilter
- type SyncConfig
- type TagConfig
- type TagDefaults
- type TagMessage
- type TagPresentation
- type TargetCondition
- type TargetConfig
- type TrailerFilter
- type VolumeProtection
- type WatchRule
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AssertNormalized ¶ added in v0.5.0
AssertNormalized verifies no unresolved {var:} templates remain in the config. Hard failure — not a warning. If this fires, normalization has a bug.
func ForgeLinkBase ¶ added in v0.5.0
ForgeLinkBase constructs a page-link (blob) base URL from forge fields. Used for resolving relative links (e.g., LICENSE → blob URL).
func ForgeRawBase ¶ added in v0.5.0
ForgeRawBase constructs a raw content base URL from forge mirror fields. Handles GitLab subgroup paths (group/subgroup/project) correctly. All inputs are normalized to prevent double-slash artifacts.
func MatchCondition ¶
MatchCondition evaluates a Condition against the current CI environment. Returns true if all present fields match (AND logic). Empty condition = catch-all (always true).
func MatchConditionWith ¶
MatchConditionWith evaluates a Condition against explicit tag/branch values. Use this when you already have the values resolved (e.g., from git detection).
func MatchPatterns ¶
MatchPatterns evaluates a list of patterns against a value (OR logic). Any pattern matching means the value is allowed. Empty list = always allowed (no filter). Supports ! negation — a negated pattern excludes even if others include.
Evaluation: exclude patterns (!) are checked first. If any exclude matches, the value is rejected. Then include patterns are checked — if any matches, the value is allowed. If only exclude patterns exist and none matched, the value is allowed (exclude-only = allowlist by negation).
func MatchPatternsWithPolicy ¶
MatchPatternsWithPolicy resolves policy names and evaluates patterns against a value. Convenience wrapper combining ResolvePatterns + MatchPatterns.
func MigrateToLatest ¶
MigrateToLatest takes raw YAML data and migrates it to the current schema version. Returns the migrated YAML bytes ready for writing.
Migration chain:
version 1 → current (no-op, already latest)
Future schema changes should add migration steps here (e.g., v1→v2). The old pre-version config was an unversioned alpha that never earned a schema number — it is not convertible and is not supported by this migration path.
func Normalize ¶ added in v0.5.0
Normalize resolves all {var:...} templates throughout the entire config. Walks every string in the config graph recursively — structs, maps, slices, interfaces. No field enumeration. No partial coverage.
Called once after load+validate, before any consumer reads the config.
func ParseDuration ¶ added in v0.5.0
ParseDuration parses a human duration like "7d", "72h", "30m". Extends time.ParseDuration with "d" (days) support.
func ParseForgeURL ¶ added in v0.5.0
ParseForgeURL detects forge provider from a full repository URL, extracts base URL and project ID. Examples:
"https://github.com/PrPlanIT/StageFreight" → github, "https://github.com", "PrPlanIT/StageFreight" "https://gitlab.prplanit.com/SoFMeRight/dungeon" → gitlab, "https://gitlab.prplanit.com", "SoFMeRight/dungeon"
func ParseSize ¶ added in v0.5.0
ParseSize parses a human size like "15GB", "500MB", "100KB". Uses binary units (1 GB = 1024³ bytes).
func ResolveLinkBase ¶ added in v0.5.0
ResolveLinkBase resolves the page-link (blob) base URL from publish_origin. Same resolution path as ResolvePublishOrigin but returns blob URLs instead of raw URLs. Used for resolving relative link paths (e.g., LICENSE → full blob URL).
func ResolvePatterns ¶
ResolvePatterns resolves policy name tokens in a pattern list to their regex values from the policy map. Direct regex patterns pass through unchanged. Negation prefix (!) is preserved.
func ResolvePublishOrigin ¶ added in v0.5.0
ResolvePublishOrigin resolves the serving base URL for rendered artifacts. Hard fails if publish_origin is nil or misconfigured. Config values may contain {var:*} templates — these are resolved using cfg.Vars.
Types ¶
type AgePruneRule ¶ added in v0.5.0
type AgePruneRule struct {
OlderThan string `yaml:"older_than,omitempty"` // e.g. "72h"
}
AgePruneRule is a simple age-based prune rule.
type BadgeConfig ¶ added in v0.5.0
type BadgeConfig struct {
ID string `yaml:"id"` // stable user-defined ID for narrator reference
Text string `yaml:"text"` // left side label
Value string `yaml:"value"` // right side value (templates: {env:*}, {sha}, {base}, etc.)
Color string `yaml:"color"` // hex color or "auto"
Output string `yaml:"output"` // SVG output path (required)
Link string `yaml:"link,omitempty"` // clickable URL
Font string `yaml:"font,omitempty"` // font name override
FontSize int `yaml:"font_size,omitempty"` // font size override
}
BadgeConfig is the user-facing badge definition in .stagefreight.yml. Badge system owns this — narrator references badges by ID via badge_ref.
func (BadgeConfig) ToBadgeSpec ¶ added in v0.5.0
func (b BadgeConfig) ToBadgeSpec() BadgeSpec
ToBadgeSpec converts config to the internal badge engine model.
type BadgeSpec ¶
type BadgeSpec struct {
Label string // left side text (badge name / alt text)
Value string // right side text (supports templates)
Color string // hex color or "auto"
Output string // SVG file output path
Font string // built-in font name override
FontSize float64 // font size override
FontFile string // custom font file override
}
BadgeSpec is the reusable internal badge specification. Consumed by badge engine, CLI ad-hoc mode, release badge, and docker build badge. No YAML tags — this is an internal model, not a config surface.
type BadgesConfig ¶ added in v0.5.0
type BadgesConfig struct {
Items []BadgeConfig `yaml:"items"`
}
BadgesConfig is the top-level badges configuration. Badge system owns definitions; narrator references them via badge_ref. Artifact serving location is declared at sources.publish_origin (cross-cutting).
type BreakingConfig ¶ added in v0.5.0
type BreakingConfig struct {
Aliases []string `yaml:"aliases,omitempty"` // e.g., [b, break, bc]
BangSuffix bool `yaml:"bang_suffix"` // feat! syntax
ForceHighlight bool `yaml:"force_highlight"`
PriorityBoost int `yaml:"priority_boost"`
}
BreakingConfig defines how breaking changes are detected and presented.
type BuildCacheConfig ¶ added in v0.5.0
type BuildCacheConfig struct {
// Mode selects which cache planes are active.
// "": inactive — no cache flags emitted, no cleanup runs.
// off: explicitly disabled.
// local: bounded local buildkit cache only.
// shared: registry-backed external cache only.
// hybrid: both local and external.
Mode string `yaml:"mode,omitempty"`
// Builder configures the buildx builder lifecycle.
// The engine owns creation, bootstrap, and narration — skeleton is transport only.
Builder BuilderConfig `yaml:"builder,omitempty"`
// Local configures the bounded local buildkit cache.
Local LocalCacheConfig `yaml:"local,omitempty"`
// External configures registry-backed shared cache.
External ExternalCacheConfig `yaml:"external,omitempty"`
// Cleanup configures host hygiene — residue pruning, not cache.
// Only executes when Mode is active (not empty, not off).
Cleanup HostCleanupConfig `yaml:"cleanup,omitempty"`
}
BuildCacheConfig defines the three-layer build cache subsystem. Mode selects the active planes. Advanced config underneath only when needed.
func DefaultBuildCacheConfig ¶ added in v0.5.0
func DefaultBuildCacheConfig() BuildCacheConfig
DefaultBuildCacheConfig returns baseline defaults. Mode is empty (inactive) — cleanup and cache only execute when mode is explicitly set. Governance presets should override enforcement and thresholds per runner class.
func (BuildCacheConfig) IsActive ¶ added in v0.5.0
func (c BuildCacheConfig) IsActive() bool
IsActive returns true if any cache mode is enabled.
type BuildCachePrunePolicy ¶ added in v0.5.0
type BuildCachePrunePolicy struct {
OlderThan string `yaml:"older_than,omitempty"` // e.g. "72h"
KeepStorage string `yaml:"keep_storage,omitempty"` // e.g. "20GB"
}
BuildCachePrunePolicy defines build cache pruning rules.
type BuildConfig ¶
type BuildConfig struct {
// ID is the unique identifier for this build, referenced by targets.
ID string `yaml:"id"`
// Kind is the build type. Determines which fields are valid.
// Supported: "docker", "binary".
Kind string `yaml:"kind"`
// SelectTags enables CLI filtering via --select.
SelectTags []string `yaml:"select_tags,omitempty"`
// Required means build failure is a hard pipeline fail. Default: true.
Required *bool `yaml:"required,omitempty"`
// BuildMode controls the build execution strategy.
// Supported: "" (standard), "crucible" (self-proving rebuild).
BuildMode string `yaml:"build_mode,omitempty"`
// DependsOn references another build ID that must complete before this one.
// Enables build ordering: binary builds before docker builds that consume them.
DependsOn string `yaml:"depends_on,omitempty"`
// Dockerfile is the path to the Dockerfile. Default: auto-detect.
Dockerfile string `yaml:"dockerfile,omitempty"`
// Context is the Docker build context path. Default: "." (repo root).
Context string `yaml:"context,omitempty"`
// Target is the --target stage name for multi-stage builds.
Target string `yaml:"target,omitempty"`
// Platforms lists the target platforms. Default: [linux/{current_arch}].
Platforms []string `yaml:"platforms,omitempty"`
// BuildArgs are key-value pairs passed as --build-arg. Supports templates.
BuildArgs map[string]string `yaml:"build_args,omitempty"`
// Cache holds build cache settings.
Cache CacheConfig `yaml:"cache,omitempty"`
// Builder is the toolchain that interprets the build.
// Supported: "go". Future: "rust", "zig", "cargo".
Builder string `yaml:"builder,omitempty"`
// Command is the builder subcommand. e.g., "build" for "go build".
// Default: "build".
Command string `yaml:"command,omitempty"`
// From is the source/input root or entry point.
// e.g., "./src/cli" (Go package), "./src/main.rs" (Rust).
From string `yaml:"from,omitempty"`
// Output is the artifact name. Windows platforms auto-append ".exe".
// Default: basename of From.
Output string `yaml:"output,omitempty"`
// Args are ordered raw arguments passed directly to the selected builder.
// For Go: raw args to "go build". For Rust: raw args to "cargo build".
// Supports template variables: {version}, {sha}, {sha:N}, {date}.
Args []string `yaml:"args,omitempty"`
// Env are build environment variables. e.g., {"CGO_ENABLED": "0"}
Env map[string]string `yaml:"env,omitempty"`
// Compress enables UPX compression on the output binary. Default: false.
Compress bool `yaml:"compress,omitempty"`
// Crucible holds crucible-specific configuration for binary builds.
Crucible *CrucibleConfig `yaml:"crucible,omitempty"`
}
BuildConfig defines a named build artifact. Each build has a unique ID (referenced by targets) and a kind that determines which fields are valid.
This is a discriminated union keyed by Kind — only fields relevant to the kind should be set. Validated at load time by v2 validation.
func (BuildConfig) BuilderCommand ¶ added in v0.4.0
func (b BuildConfig) BuilderCommand() string
BuilderCommand returns the builder command, defaulting to "build".
func (BuildConfig) IsRequired ¶ added in v0.5.0
func (b BuildConfig) IsRequired() bool
IsRequired returns whether build failure is a hard pipeline fail. Default: true.
func (BuildConfig) OutputName ¶ added in v0.4.0
func (b BuildConfig) OutputName() string
OutputName returns the output artifact name, defaulting to basename of From.
type BuilderConfig ¶ added in v0.5.0
type BuilderConfig struct {
// Backend pins the build backend. Default: "" (auto-detect).
// "buildkitd" → prefer persistent buildkitd, fail if unavailable.
// "dind" → use DinD only, ignore buildkitd even if available.
// "" → auto-detect: prefer buildkitd if available, fall back to DinD.
Backend string `yaml:"backend,omitempty"`
// Name is the buildx builder name. Default: "sf-builder".
Name string `yaml:"name,omitempty"`
// Driver is the buildx driver. Default: "docker-container".
Driver string `yaml:"driver,omitempty"`
// Context is the Docker context name for the builder endpoint. Default: "sf-context".
Context string `yaml:"context,omitempty"`
}
BuilderConfig declares the buildx builder identity. The engine creates/bootstraps/narrates — this is just the declaration.
func (BuilderConfig) BuilderDriver ¶ added in v0.5.0
func (b BuilderConfig) BuilderDriver() string
BuilderDriver returns the driver, defaulting to "docker-container".
func (BuilderConfig) BuilderName ¶ added in v0.5.0
func (b BuilderConfig) BuilderName() string
BuilderName returns the builder name, defaulting to "sf-builder".
func (BuilderConfig) ContextName ¶ added in v0.5.0
func (b BuilderConfig) ContextName() string
ContextName returns the Docker context name, defaulting to "sf-context".
type CacheConfig ¶
CacheConfig holds build cache settings.
type ClusterConfig ¶ added in v0.5.0
type ClusterConfig struct {
Name string `yaml:"name"`
Server string `yaml:"server"`
Exposure ExposureRules `yaml:"exposure"`
}
ClusterConfig identifies a Kubernetes cluster and how to connect to it. CA trust is resolved from environment variables at runtime:
- <NAME>_CA_FILE: path to CA certificate file
- <NAME>_CA_B64: base64-encoded CA certificate PEM
Name is uppercased with hyphens replaced by underscores for the env prefix.
type CommitConfig ¶
type CommitConfig struct {
DefaultType string `yaml:"default_type,omitempty"`
DefaultScope string `yaml:"default_scope,omitempty"`
SkipCI bool `yaml:"skip_ci,omitempty"`
Push bool `yaml:"push,omitempty"`
Conventional bool `yaml:"conventional"`
Backend string `yaml:"backend,omitempty"`
Types []CommitType `yaml:"types,omitempty"`
}
CommitConfig holds configuration for the commit subsystem.
func DefaultCommitConfig ¶
func DefaultCommitConfig() CommitConfig
DefaultCommitConfig returns sensible defaults for commit configuration.
type CommitPresentation ¶ added in v0.5.0
type CommitPresentation struct {
PreserveRawSubject bool `yaml:"preserve_raw_subject"`
EnforceConventional bool `yaml:"enforce_conventional"`
}
CommitPresentation controls commit authoring behavior. Authoring-oriented: alias expansion and validation, NOT release-style uplift.
type CommitType ¶
type CommitType struct {
Key string `yaml:"key"`
Label string `yaml:"label"`
AliasFor string `yaml:"alias_for,omitempty"`
ForceBang bool `yaml:"force_bang,omitempty"`
}
CommitType defines a recognized commit type for conventional commits.
type CompiledPatterns ¶
CompiledPatterns holds pre-compiled include and exclude regex patterns. Avoids repeated regex compilation during planning and matching.
func CompilePatterns ¶
func CompilePatterns(patterns []string, policyMap map[string]string) (*CompiledPatterns, error)
CompilePatterns resolves pattern tokens against a policy map and compiles them into include/exclude regex groups. Discards warnings.
func CompilePatternsWithWarnings ¶
func CompilePatternsWithWarnings(patterns []string, policyMap map[string]string) (*CompiledPatterns, []string, error)
CompilePatternsWithWarnings resolves pattern tokens against a policy map, compiles them into include/exclude regex groups, and returns any warnings (e.g., typo detection for unknown policy names).
func (*CompiledPatterns) Match ¶
func (cp *CompiledPatterns) Match(value string) bool
Match evaluates the compiled patterns against a value. Exclude-first semantics: if any exclude matches, rejected. Empty include list with no excludes = pass (no constraints). Empty include list with only excludes = everything not excluded passes.
type Condition ¶
type Condition struct {
// Tag is a pattern matched against the git tag (CI_COMMIT_TAG).
// Only evaluated when a tag is present. Prefix with ! to negate.
Tag string `yaml:"tag,omitempty"`
// Branch is a pattern matched against the git branch (CI_COMMIT_BRANCH).
// Prefix with ! to negate.
Branch string `yaml:"branch,omitempty"`
}
Condition is the universal conditional rule primitive used across StageFreight. Every feature that has tag/branch-sensitive behavior uses this same structure.
Pattern syntax (applies to Tag, Branch, and any future filter fields):
"^main$" — regex match (default) "!^feature/.*" — negated regex (! prefix) "main" — literal match (no regex metacharacters) "!develop" — negated literal
Matching logic:
- Tag: tested against CI_COMMIT_TAG / git tag. Only evaluated when a tag is present.
- Branch: tested against CI_COMMIT_BRANCH / git branch.
- Multiple fields set: AND — all present fields must match.
- No fields set: catch-all (always matches).
Rules are always evaluated top-down, first match wins. CLI overrides take precedence.
type Config ¶
type Config struct {
// Version must be 1. The pre-version config was an unversioned alpha
// that never earned a schema number — this is the first stable schema.
Version int `yaml:"version"`
// Vars is a user-defined template variable dictionary.
// Referenced as {var:name} anywhere templates are resolved.
Vars map[string]string `yaml:"vars,omitempty"`
// Defaults is inert YAML anchor storage. StageFreight ignores this
// section entirely — it exists for users to define &anchors.
Defaults yaml.Node `yaml:"defaults,omitempty"`
// Sources defines build source configuration.
Sources SourcesConfig `yaml:"sources"`
// Policies defines named regex patterns for git tag and branch matching.
Policies PoliciesConfig `yaml:"policies"`
// Builds defines named build artifacts.
Builds []BuildConfig `yaml:"builds"`
// Targets defines distribution targets and side-effects.
Targets []TargetConfig `yaml:"targets"`
// Badges defines badge artifact generation (SVGs).
// Badge system owns definitions; narrator references them via badge_ref.
// Artifact serving location is declared at sources.publish_origin (cross-cutting).
Badges BadgesConfig `yaml:"badges"`
// Narrator defines content composition for file targets.
Narrator []NarratorFile `yaml:"narrator"`
// Lint holds lint-specific configuration (unchanged from v1).
Lint LintConfig `yaml:"lint"`
// Security holds security scanning configuration (unchanged from v1).
Security SecurityConfig `yaml:"security"`
// Commit holds configuration for the commit subsystem.
Commit CommitConfig `yaml:"commit"`
// Dependency holds configuration for the dependency update subsystem.
Dependency DependencyConfig `yaml:"dependency"`
// Docs holds configuration for the docs generation subsystem.
Docs DocsConfig `yaml:"docs"`
// Manifest holds configuration for the manifest subsystem.
Manifest ManifestConfig `yaml:"manifest"`
// Release holds configuration for the release subsystem.
Release ReleaseConfig `yaml:"release"`
// Lifecycle defines the repository lifecycle mode (image, gitops, governance).
Lifecycle LifecycleConfig `yaml:"lifecycle"`
// Governance defines configuration for the governance lifecycle mode.
// Only valid in the control repo (lifecycle.mode: governance).
Governance GovernanceConfig `yaml:"governance"`
// GitOps defines configuration for the gitops lifecycle mode.
GitOps GitOpsConfig `yaml:"gitops"`
// Docker defines configuration for the docker lifecycle mode.
Docker DockerLifecycleConfig `yaml:"docker"`
// BuildCache defines the build cache subsystem (local, shared, hybrid).
BuildCache BuildCacheConfig `yaml:"build_cache"`
// Glossary defines the repo's shared change-language model.
// Consumed by commit authoring, tag planning, and release rendering.
Glossary GlossaryConfig `yaml:"glossary"`
// Presentation defines surface-specific rendering policies.
Presentation PresentationConfig `yaml:"presentation"`
// Tag holds workflow defaults for the tag planner.
Tag TagConfig `yaml:"tag"`
}
Config is the top-level StageFreight v2 configuration.
type ContainerPrunePolicy ¶ added in v0.5.0
type ContainerPrunePolicy struct {
Exited AgePruneRule `yaml:"exited,omitempty"`
}
ContainerPrunePolicy defines container pruning rules.
type CrucibleConfig ¶ added in v0.4.0
type CrucibleConfig struct {
// ToolchainImage is the pinned container image for pass-2 verification.
// e.g., "docker.io/library/golang:1.24-alpine"
ToolchainImage string `yaml:"toolchain_image,omitempty"`
}
CrucibleConfig holds crucible-specific build configuration.
type DependencyCIConfig ¶
type DependencyCIConfig struct {
Handoff DependencyHandoff `yaml:"handoff"` // default: continue
}
DependencyCIConfig controls CI-level behavior when deps creates a commit.
type DependencyCommitConfig ¶
type DependencyCommitConfig struct {
Enabled bool `yaml:"enabled"`
Type string `yaml:"type"`
Message string `yaml:"message"`
Push bool `yaml:"push"`
SkipCI bool `yaml:"skip_ci"`
Promotion DependencyCommitPromotion `yaml:"promotion"` // "direct" or "mr"
MR DependencyMRConfig `yaml:"mr"`
}
DependencyCommitConfig controls auto-commit behavior for dependency updates.
type DependencyCommitPromotion ¶ added in v0.4.0
type DependencyCommitPromotion string
DependencyCommitPromotion controls how dependency commits reach the target branch.
const ( PromotionDirect DependencyCommitPromotion = "direct" // push to current branch (existing behavior) PromotionMR DependencyCommitPromotion = "mr" // push to unique bot branch, open merge request )
type DependencyConfig ¶
type DependencyConfig struct {
Enabled bool `yaml:"enabled"`
Output string `yaml:"output"`
Scope DependencyScopeConfig `yaml:"scope"`
Commit DependencyCommitConfig `yaml:"commit"`
CI DependencyCIConfig `yaml:"ci"`
}
DependencyConfig holds configuration for the dependency update subsystem.
func DefaultDependencyConfig ¶
func DefaultDependencyConfig() DependencyConfig
DefaultDependencyConfig returns sensible defaults for dependency management.
type DependencyHandoff ¶
type DependencyHandoff string
DependencyHandoff controls what happens when dependency repair creates a new commit.
- "continue" — advisory only, current pipeline continues regardless
- "restart_pipeline" — request pipeline rerun on repaired revision; downstream shipping stops
- "fail" — fail hard if repair was needed but couldn't be handed off
const ( HandoffContinue DependencyHandoff = "continue" HandoffRestartPipeline DependencyHandoff = "restart_pipeline" HandoffFail DependencyHandoff = "fail" )
type DependencyMRConfig ¶ added in v0.4.0
type DependencyMRConfig struct {
BranchPrefix string `yaml:"branch_prefix"` // default: "stagefreight/deps"
TargetBranch string `yaml:"target_branch"` // default: "" (CI default branch)
}
DependencyMRConfig controls merge request creation for promotion: mr.
type DependencyScopeConfig ¶
type DependencyScopeConfig struct {
GoModules bool `yaml:"go_modules"`
DockerfileEnv bool `yaml:"dockerfile_env"` // umbrella for docker-image + github-release
}
DependencyScopeConfig controls which dependency ecosystems are managed.
func (DependencyScopeConfig) ScopeToEcosystems ¶
func (s DependencyScopeConfig) ScopeToEcosystems() []string
ScopeToEcosystems converts scope booleans to ecosystem filter strings compatible with dependency.UpdateConfig.Ecosystems. Returns nil (all ecosystems) if all scopes are enabled.
type DetailRule ¶
type DetailRule struct {
Condition `yaml:",inline"`
// Detail is the detail level to use when this rule matches.
// Values: "none", "counts", "detailed", "full".
Detail string `yaml:"detail"`
}
DetailRule is a conditional override for security detail level in release notes. Embeds Condition for standard tag/branch pattern matching.
type DockerDriftPolicy ¶ added in v0.5.0
type DockerDriftPolicy struct {
Tier2Action string `yaml:"tier2_action"` // report | reconcile (default: report)
OrphanAction string `yaml:"orphan_action"` // report | down | prune (default: report)
OrphanThreshold int `yaml:"orphan_threshold"` // block if more than N orphans (default: 5)
PruneRequiresConfirmation bool `yaml:"prune_requires_confirmation"` // require --force for prune (default: true)
}
DockerDriftPolicy configures drift detection behavior.
type DockerIaCConfig ¶ added in v0.5.0
type DockerIaCConfig struct {
// Path is the IaC directory relative to repo root (default: "docker-compose").
Path string `yaml:"path"`
}
DockerIaCConfig defines the IaC directory layout.
type DockerLifecycleConfig ¶ added in v0.5.0
type DockerLifecycleConfig struct {
// Backend selects the Docker execution engine (e.g. "compose").
Backend string `yaml:"backend"`
// Targets defines how reconciliation targets are resolved.
Targets DockerTargetsConfig `yaml:"targets"`
// IaC defines the Infrastructure as Code directory layout.
IaC DockerIaCConfig `yaml:"iac"`
// Secrets defines the secrets decryption provider.
Secrets DockerSecretsConfig `yaml:"secrets"`
// Drift defines drift detection and reconciliation policy.
Drift DockerDriftPolicy `yaml:"drift"`
}
DockerLifecycleConfig defines configuration for the docker lifecycle mode. This is Docker lifecycle orchestration, not docker-compose wrapping.
func DefaultDockerLifecycleConfig ¶ added in v0.5.0
func DefaultDockerLifecycleConfig() DockerLifecycleConfig
DefaultDockerLifecycleConfig returns sensible defaults.
type DockerSecretsConfig ¶ added in v0.5.0
type DockerSecretsConfig struct {
// Provider selects the secrets backend (e.g. "sops", "vault", "infisical").
Provider string `yaml:"provider"`
}
DockerSecretsConfig defines the secrets provider.
type DockerTargetSelector ¶ added in v0.5.0
type DockerTargetSelector struct {
Groups []string `yaml:"groups"`
}
DockerTargetSelector declares eligibility via existing inventory groups. Group-based initially. Richer selectors deferred until groups become insufficient.
type DockerTargetsConfig ¶ added in v0.5.0
type DockerTargetsConfig struct {
// Source is the inventory adapter (e.g. "ansible").
Source string `yaml:"source"`
// Inventory is the path to the inventory file (relative to repo root).
Inventory string `yaml:"inventory"`
// Selector declares which hosts from inventory are eligible.
Selector DockerTargetSelector `yaml:"selector"`
}
DockerTargetsConfig defines target resolution for Docker reconciliation.
type DocsCommitConfig ¶
type DocsCommitConfig struct {
Enabled bool `yaml:"enabled"`
Type string `yaml:"type"`
Message string `yaml:"message"`
Add []string `yaml:"add"`
Push bool `yaml:"push"`
SkipCI bool `yaml:"skip_ci"`
}
DocsCommitConfig controls auto-commit behavior for generated docs.
type DocsConfig ¶
type DocsConfig struct {
Enabled bool `yaml:"enabled"`
Generators DocsGeneratorsConfig `yaml:"generators"`
Commit DocsCommitConfig `yaml:"commit"`
}
DocsConfig holds configuration for the docs generation subsystem.
func DefaultDocsConfig ¶
func DefaultDocsConfig() DocsConfig
DefaultDocsConfig returns sensible defaults for docs generation.
type DocsGeneratorsConfig ¶
type DocsGeneratorsConfig struct {
Badges bool `yaml:"badges"`
ReferenceDocs bool `yaml:"reference_docs"`
Narrator bool `yaml:"narrator"`
DockerReadme bool `yaml:"docker_readme"`
}
DocsGeneratorsConfig controls which documentation generators are enabled.
type ExposureRule ¶ added in v0.5.0
type ExposureRule struct {
Level string `yaml:"level"` // internet | intranet | cluster
Endpoints []string `yaml:"endpoints"` // ip:port (highest precedence)
Gateways []string `yaml:"gateways"`
CIDRs []string `yaml:"cidrs"`
Ports []int `yaml:"ports"` // AND with CIDRs (empty = any port)
ServiceTypes []string `yaml:"service_types"` // ClusterIP | NodePort | LoadBalancer
}
ExposureRule classifies endpoints into exposure levels. Match fields are AND within a rule (CIDR AND port if both specified).
type ExposureRules ¶ added in v0.5.0
type ExposureRules struct {
Rules []ExposureRule `yaml:"rules"`
}
ExposureRules defines rule-based endpoint exposure classification. Rules are evaluated by precedence: endpoint > gateway > CIDR > service type. Conflicting equal-precedence rules → unknown. Never first-match-wins.
type ExternalCacheConfig ¶ added in v0.5.0
type ExternalCacheConfig struct {
// Target references a targets[].id with kind: registry.
Target string `yaml:"target,omitempty"`
// Path is appended to the target URL: <target-url>/<path>/<repo>/<branch>.
Path string `yaml:"path,omitempty"`
// Fallback is the read-only fallback branch ref (e.g. "default", "main").
// Never written to unless current ref equals fallback.
Fallback string `yaml:"fallback,omitempty"`
// Mode is the BuildKit cache mode (e.g. "max", "min"). Default: "max".
Mode string `yaml:"mode,omitempty"`
// Retention defines when stale external cache refs are pruned.
Retention ExternalRetention `yaml:"retention,omitempty"`
}
ExternalCacheConfig defines registry-backed shared cache. References an existing target (kind: registry) by ID — no redeclaring registries.
type ExternalRetention ¶ added in v0.5.0
type ExternalRetention struct {
MaxRefs int `yaml:"max_refs,omitempty"` // max branch cache refs per repo
StaleAge string `yaml:"stale_age,omitempty"` // prune refs for dead/merged branches
}
ExternalRetention defines external cache ref lifecycle.
type FilterConfig ¶ added in v0.5.0
type FilterConfig struct {
Summary SummaryFilter `yaml:"summary"`
Trailers TrailerFilter `yaml:"trailers"`
NormalizeWhitespace bool `yaml:"normalize_whitespace"`
}
FilterConfig defines sanitization rules for change summaries.
type GitOpsConfig ¶ added in v0.5.0
type GitOpsConfig struct {
// Backend selects the GitOps reconciliation backend (e.g. "flux", "argo").
Backend string `yaml:"backend"`
// Cluster defines the target Kubernetes cluster.
Cluster ClusterConfig `yaml:"cluster"`
// OIDC defines authentication configuration for the cluster.
OIDC OIDCConfig `yaml:"oidc"`
}
GitOpsConfig defines configuration for the gitops lifecycle mode.
func DefaultGitOpsConfig ¶ added in v0.5.0
func DefaultGitOpsConfig() GitOpsConfig
DefaultGitOpsConfig returns sensible defaults for gitops configuration.
type GlossaryConfig ¶ added in v0.5.0
type GlossaryConfig struct {
Types map[string]GlossaryType `yaml:"types"`
Breaking BreakingConfig `yaml:"breaking"`
Filters FilterConfig `yaml:"filters"`
Rewrites RewriteConfig `yaml:"rewrites"`
Render RenderConfig `yaml:"render"`
}
GlossaryConfig defines the repo's shared change-language model. Consumed by commit authoring, tag planning, and release rendering.
func DefaultGlossaryConfig ¶ added in v0.5.0
func DefaultGlossaryConfig() GlossaryConfig
DefaultGlossaryConfig returns sensible defaults for the glossary.
type GlossaryType ¶ added in v0.5.0
type GlossaryType struct {
Aliases []string `yaml:"aliases,omitempty"`
CanonicalAs string `yaml:"canonical_as,omitempty"` // normalize to this type (e.g., deps → chore)
Priority int `yaml:"priority"`
ReleaseVisible bool `yaml:"release_visible"`
}
GlossaryType defines a single change type's semantics.
type GovernanceCluster ¶ added in v0.5.0
type GovernanceCluster struct {
ID string `yaml:"id"`
Targets GovernanceClusterTargets `yaml:"targets"`
StageFreight map[string]any `yaml:"stagefreight"`
}
GovernanceCluster assigns lifecycle doctrine to a group of repos.
type GovernanceClusterGroup ¶ added in v0.5.0
type GovernanceClusterGroup struct {
ID string `yaml:"id,omitempty"`
Repos []string `yaml:"repos"`
}
GovernanceClusterGroup is a cohort of repos on the same forge.
type GovernanceClusterTargets ¶ added in v0.5.0
type GovernanceClusterTargets struct {
Repos []string `yaml:"repos,omitempty"`
Groups []GovernanceClusterGroup `yaml:"groups,omitempty"`
}
GovernanceClusterTargets identifies which repos belong to this cluster. Supports flat repos list and/or grouped targets with per-group forge identity.
type GovernanceConfig ¶ added in v0.5.0
type GovernanceConfig struct {
Clusters []GovernanceCluster `yaml:"clusters"`
}
GovernanceConfig declares governance clusters for the control repo. Only valid when lifecycle.mode is "governance". Assets (CI skeletons, settings files, etc.) are declared inside each cluster's stagefreight config as assets: entries — no separate skeleton construct.
type HostCleanupConfig ¶ added in v0.5.0
type HostCleanupConfig struct {
// Enabled controls whether cleanup runs. Independent of cache mode.
Enabled bool `yaml:"enabled,omitempty"`
// Enforcement controls what happens when cleanup cannot execute.
// best_effort: continue + structured warning.
// required: fail build immediately.
Enforcement string `yaml:"enforcement,omitempty"`
// Protect defines what is never pruned.
Protect ProtectionPolicy `yaml:"protect,omitempty"`
// Prune defines what is eligible for removal.
Prune PrunePolicy `yaml:"prune,omitempty"`
}
HostCleanupConfig defines host hygiene — classification-first pruning. Not cache — residue cleanup. Object classes match DD-UI's operation types.
type ImageProtection ¶ added in v0.5.0
type ImageProtection struct {
Refs []string `yaml:"refs,omitempty"` // glob patterns
}
ImageProtection defines which images are protected from pruning.
type ImagePrunePolicy ¶ added in v0.5.0
type ImagePrunePolicy struct {
Dangling AgePruneRule `yaml:"dangling,omitempty"`
Unreferenced AgePruneRule `yaml:"unreferenced,omitempty"`
}
ImagePrunePolicy defines image pruning rules by class.
type LifecycleConfig ¶ added in v0.5.0
type LifecycleConfig struct {
Mode string `yaml:"mode"` // image | gitops | governance
}
LifecycleConfig defines the repository lifecycle mode.
type LintCacheConfig ¶ added in v0.5.0
type LintCacheConfig struct {
MaxAge string `yaml:"max_age,omitempty"` // evict entries not hit in this duration (e.g. "7d")
MaxSize string `yaml:"max_size,omitempty"` // evict oldest entries when cache exceeds this (e.g. "100MB")
}
LintCacheConfig controls lint result cache lifecycle. Content-addressed caches grow monotonically — every file edit creates a new entry. Without eviction, cache grows unbounded.
type LintConfig ¶
type LintConfig struct {
Level Level `yaml:"level"`
CacheDir string `yaml:"cache_dir"`
TargetBranch string `yaml:"target_branch"`
Exclude []string `yaml:"exclude"`
Modules map[string]ModuleConfig `yaml:"modules"`
Cache LintCacheConfig `yaml:"cache,omitempty"`
}
LintConfig holds lint-specific configuration.
func DefaultLintConfig ¶
func DefaultLintConfig() LintConfig
DefaultLintConfig returns production defaults.
type LocalCacheConfig ¶ added in v0.5.0
type LocalCacheConfig struct {
Path string `yaml:"path,omitempty"` // override local cache root (default: /stagefreight/cache/buildkit)
Retention LocalRetention `yaml:"retention,omitempty"`
}
LocalCacheConfig defines bounded local BuildKit cache. Default path: /stagefreight/cache/buildkit (persistent runtime root). Override via Path field for non-standard mounts.
type LocalRetention ¶ added in v0.5.0
type LocalRetention struct {
MaxAge string `yaml:"max_age,omitempty"` // e.g. "7d"
MaxSize string `yaml:"max_size,omitempty"` // e.g. "15GB"
}
LocalRetention defines what local cache is allowed to exist.
type ManifestConfig ¶ added in v0.3.2
type ManifestConfig struct {
// Enabled controls whether manifest generation is active (default: false).
Enabled bool `yaml:"enabled"`
// Mode controls where the manifest is stored.
// ephemeral: temp location, use during run, discard after.
// workspace: generate to .stagefreight/manifests/, don't auto-commit.
// commit: generate and include in docs commit.
// publish: generate and export as release asset / CI artifact.
Mode string `yaml:"mode,omitempty"`
// OutputDir is the output directory for manifest files.
// Default: .stagefreight/manifests
OutputDir string `yaml:"output_dir,omitempty"`
}
ManifestConfig holds configuration for the manifest subsystem.
func DefaultManifestConfig ¶ added in v0.3.2
func DefaultManifestConfig() ManifestConfig
DefaultManifestConfig returns sensible defaults for manifest generation.
type MirrorConfig ¶ added in v0.4.1
type MirrorConfig struct {
ID string `yaml:"id"` // unique identifier (e.g., "github")
Provider string `yaml:"provider"` // forge provider: github, gitlab, gitea
URL string `yaml:"url"` // forge base URL (e.g., "https://github.com")
ProjectID string `yaml:"project_id"` // owner/repo or numeric ID on the mirror forge
Credentials string `yaml:"credentials"` // env var prefix for token resolution
Sync SyncConfig `yaml:"sync"` // which domains to synchronize
}
MirrorConfig declares a downstream forge replica that receives projections from the primary. A mirror is strict — it never originates state. Directionality is enforced: source → mirror only.
func FindMirrorByID ¶ added in v0.5.0
func FindMirrorByID(mirrors []MirrorConfig, id string) *MirrorConfig
FindMirrorByID returns the mirror with the given ID, or nil.
type ModuleConfig ¶
type ModuleConfig struct {
Enabled *bool `yaml:"enabled,omitempty"`
Exclude []string `yaml:"exclude,omitempty"`
Options map[string]any `yaml:"options,omitempty"`
}
ModuleConfig holds per-module overrides.
type NarratorFile ¶
type NarratorFile struct {
// File is the path to the target file (required).
File string `yaml:"file"`
// LinkBase is the base URL for relative link rewriting.
LinkBase string `yaml:"link_base,omitempty"`
// Items are the composable content items for this file.
Items []NarratorItem `yaml:"items"`
}
NarratorFile defines narrator composition for a single file target. v2 flattens the old files[] > sections[] > items[] hierarchy into a 2-level structure: file targets with self-describing items.
type NarratorItem ¶
type NarratorItem struct {
// ID is the item identifier (unique within file).
ID string `yaml:"id"`
// Kind is the item type: badge, shield, text, component, break, include.
Kind string `yaml:"kind"`
// Placement declares where this item goes in the target file.
Placement NarratorPlacement `yaml:"placement"`
// Text is the badge label (left side text).
Text string `yaml:"text,omitempty"`
// Value is the badge value (right side text, supports templates).
Value string `yaml:"value,omitempty"`
// Color is the badge color (hex or "auto").
Color string `yaml:"color,omitempty"`
// Font is the badge font name override.
Font string `yaml:"font,omitempty"`
// FontSize is the badge font size override.
FontSize int `yaml:"font_size,omitempty"`
// Output is the SVG output path for badge generation.
Output string `yaml:"output,omitempty"`
// Link is the clickable URL (kind: badge, shield).
Link string `yaml:"link,omitempty"`
// Shield is the shields.io path (kind: shield).
Shield string `yaml:"shield,omitempty"`
// Content is raw text/markdown content (kind: text).
Content string `yaml:"content,omitempty"`
// Spec is the component spec file path (kind: component).
Spec string `yaml:"spec,omitempty"`
// Path is the file path to include verbatim (kind: include).
Path string `yaml:"path,omitempty"`
// Source is an optional path to a manifest JSON file (kind: build-contents).
// If omitted, uses the current scope manifest.
Source string `yaml:"source,omitempty"`
// Section is the dot-path into the manifest (kind: build-contents).
// e.g., "inventories.pip", "build.args", "security.sbom"
Section string `yaml:"section,omitempty"`
// Renderer is the rendering format (kind: build-contents).
// Supported: "table", "list", "kv".
Renderer string `yaml:"renderer,omitempty"`
// Columns selects which columns to render (kind: build-contents, renderer: table).
Columns []string `yaml:"columns,omitempty"`
// OutputFile is an optional standalone file output path (kind: build-contents).
// When set, the rendered content is written as a standalone file.
// Can be used alongside placement (section embedding) or alone.
OutputFile string `yaml:"output_file,omitempty"`
// Wrap wraps the rendered output in a container element (kind: build-contents).
// Supported: "details" (wraps in <details>/<summary>).
Wrap string `yaml:"wrap,omitempty"`
// Summary is the summary text when wrap=details (required when wrap is set).
Summary string `yaml:"summary,omitempty"`
// Type is the props resolver type ID (kind: props).
Type string `yaml:"type,omitempty"`
// Params are provider-semantic inputs for the props resolver.
Params map[string]string `yaml:"params,omitempty"`
// Label overrides the auto-derived alt text for props.
Label string `yaml:"label,omitempty"`
// Style is a presentation override for shields.io badge style.
Style string `yaml:"style,omitempty"`
// Logo is a presentation override for shields.io logo name.
Logo string `yaml:"logo,omitempty"`
// CatalogPath is the path to a catalog metadata file (kind: k8s-inventory).
// Optional — provides descriptions, friendly names, graveyard, tier overrides.
CatalogPath string `yaml:"catalog,omitempty"`
// Ref is the badge ID to reference (kind: badge_ref).
// Must match an ID defined in the top-level badges: config.
// Narrator does NOT own badge generation — only composition.
Ref string `yaml:"ref,omitempty"`
}
NarratorItem defines a single composable content item. Each item self-describes its kind and placement.
func (NarratorItem) HasGeneration ¶
func (n NarratorItem) HasGeneration() bool
HasGeneration returns true if this badge item should trigger SVG generation. Requires kind: badge + output set.
func (NarratorItem) ToBadgeSpec ¶
func (n NarratorItem) ToBadgeSpec() BadgeSpec
ToBadgeSpec extracts badge generation fields into a reusable BadgeSpec.
type NarratorPlacement ¶
type NarratorPlacement struct {
// Between is a two-element array: [start_marker, end_marker].
// Content is placed relative to these markers.
Between [2]string `yaml:"between,omitempty"`
// After is a regex/literal line match (reserved for future use).
After string `yaml:"after,omitempty"`
// Before is a regex/literal line match (reserved for future use).
Before string `yaml:"before,omitempty"`
// Heading is a markdown heading match (reserved for future use).
Heading string `yaml:"heading,omitempty"`
// Mode controls how content is placed:
// replace (default), append, prepend, above, below.
Mode string `yaml:"mode,omitempty"`
// Inline renders items side-by-side when true (default: false).
Inline bool `yaml:"inline,omitempty"`
}
NarratorPlacement declares where an item goes in its target file. Exactly one selector must be set (Between is the v2 primary selector).
type NetworkPrunePolicy ¶ added in v0.5.0
type NetworkPrunePolicy struct {
Unused bool `yaml:"unused,omitempty"`
}
NetworkPrunePolicy defines network pruning rules.
type OIDCConfig ¶ added in v0.5.0
type OIDCConfig struct {
Audience string `yaml:"audience"`
}
OIDCConfig defines OIDC authentication for cluster access. Token is resolved from environment variable STAGEFREIGHT_OIDC at runtime.
type PhraseRewrite ¶ added in v0.5.0
PhraseRewrite replaces exact substrings.
type PoliciesConfig ¶
type PoliciesConfig struct {
// GitTags maps policy names to regex patterns for git tag matching.
// e.g., "stable": "^\\d+\\.\\d+\\.\\d+$"
// Named "git_tags" (not "tags") to avoid collision with Docker image tags.
GitTags map[string]string `yaml:"git_tags"`
// Branches maps policy names to regex patterns for branch matching.
// e.g., "main": "^main$"
Branches map[string]string `yaml:"branches"`
}
PoliciesConfig defines named regex patterns for git tag and branch matching. Policy names are referenced by target when conditions (e.g., git_tags: [stable]) and resolved to regex patterns during evaluation.
v2 promotes this from git.policy to a top-level key, reflecting that policies are routing primitives referenced across builds, targets, and releases.
func DefaultPoliciesConfig ¶
func DefaultPoliciesConfig() PoliciesConfig
DefaultPoliciesConfig returns an empty policies config.
type PresentationConfig ¶ added in v0.5.0
type PresentationConfig struct {
Commit CommitPresentation `yaml:"commit"`
Tag TagPresentation `yaml:"tag"`
Release ReleasePresentation `yaml:"release"`
}
PresentationConfig defines surface-specific rendering policies. Same semantic meaning, different editorial treatment per output.
func DefaultPresentationConfig ¶ added in v0.5.0
func DefaultPresentationConfig() PresentationConfig
DefaultPresentationConfig returns sensible defaults.
type ProtectionPolicy ¶ added in v0.5.0
type ProtectionPolicy struct {
Images ImageProtection `yaml:"images,omitempty"`
Volumes VolumeProtection `yaml:"volumes,omitempty"`
}
ProtectionPolicy defines what host objects are never pruned.
type PrunePolicy ¶ added in v0.5.0
type PrunePolicy struct {
Images ImagePrunePolicy `yaml:"images,omitempty"`
BuildCache BuildCachePrunePolicy `yaml:"build_cache,omitempty"`
Containers ContainerPrunePolicy `yaml:"containers,omitempty"`
Networks NetworkPrunePolicy `yaml:"networks,omitempty"`
}
PrunePolicy defines which host objects are eligible for removal.
type PublishOrigin ¶ added in v0.5.0
type PublishOrigin struct {
Kind string `yaml:"kind"` // "primary", "mirror", or "url"
Ref string `yaml:"ref,omitempty"` // mirror ID (kind: mirror only)
Base string `yaml:"base,omitempty"` // explicit URL (kind: url only)
}
PublishOrigin declares where rendered artifacts (badges, etc.) are served from. Three kinds:
- primary: derives raw content URL from sources.primary (the authoritative forge)
- mirror: derives raw content URL from a sources.mirrors[] entry
- url: explicit base URL (CDN, S3, RGW, any static hosting)
Mirrors MUST track the primary branch. The branch used for raw URL construction always comes from sources.primary.default_branch — for both primary and mirror kinds.
type RegexRewrite ¶ added in v0.5.0
RegexRewrite replaces regex matches.
type ReleaseConfig ¶
type ReleaseConfig struct {
Enabled bool `yaml:"enabled"`
Required *bool `yaml:"required,omitempty"` // failure is hard pipeline fail (default: false)
SecuritySummary string `yaml:"security_summary"`
RegistryLinks bool `yaml:"registry_links"`
CatalogLinks bool `yaml:"catalog_links"`
}
ReleaseConfig holds configuration for the release subsystem.
func DefaultReleaseConfig ¶
func DefaultReleaseConfig() ReleaseConfig
DefaultReleaseConfig returns sensible defaults for release management.
func (ReleaseConfig) IsRequired ¶ added in v0.5.0
func (r ReleaseConfig) IsRequired() bool
IsRequired returns whether release failure is a hard pipeline fail. Default: false.
type ReleasePresentation ¶ added in v0.5.0
type ReleasePresentation struct {
MaxEntries int `yaml:"max_entries"`
GroupByType bool `yaml:"group_by_type"`
Style string `yaml:"style"` // concise | explanatory | technical
IncludeReleaseVisibleOnly bool `yaml:"include_release_visible_only"`
}
ReleasePresentation controls release notes rendering.
type RenderConfig ¶ added in v0.5.0
type RenderConfig struct {
EmptyStrategy string `yaml:"empty_strategy"` // prompt | fail | allow_empty
}
RenderConfig controls glossary-level output defaults. Surface-specific max entries live in presentation config.
type RetentionPolicy ¶
type RetentionPolicy struct {
KeepLast int `yaml:"keep_last"` // keep the N most recent tags
KeepDaily int `yaml:"keep_daily"` // keep one per day for the last N days
KeepWeekly int `yaml:"keep_weekly"` // keep one per week for the last N weeks
KeepMonthly int `yaml:"keep_monthly"` // keep one per month for the last N months
KeepYearly int `yaml:"keep_yearly"` // keep one per year for the last N years
Protect []string `yaml:"protect"` // tag patterns that are never deleted (v2)
}
RetentionPolicy defines how many tags/releases to keep using time-bucketed rules. Policies are additive — a tag survives if ANY rule wants to keep it. This mirrors restic's forget policy.
func (RetentionPolicy) Active ¶
func (r RetentionPolicy) Active() bool
Active returns true if any retention rule is configured.
func (*RetentionPolicy) UnmarshalYAML ¶
func (r *RetentionPolicy) UnmarshalYAML(value *yaml.Node) error
UnmarshalYAML implements custom unmarshaling so retention accepts both:
retention: 10 → RetentionPolicy{KeepLast: 10}
retention:
keep_last: 3
keep_daily: 7 → RetentionPolicy{KeepLast: 3, KeepDaily: 7}
type RewriteConfig ¶ added in v0.5.0
type RewriteConfig struct {
Phrases []PhraseRewrite `yaml:"phrases,omitempty"`
Regex []RegexRewrite `yaml:"regex,omitempty"`
}
RewriteConfig defines deterministic text transformations.
type ScannerCacheConfig ¶ added in v0.5.0
type ScannerCacheConfig struct {
MaxSize string `yaml:"max_size,omitempty"` // e.g. "500MB" — full-clear when exceeded
MaxAge string `yaml:"max_age,omitempty"` // e.g. "7d" — full-clear when oldest file exceeds age
}
ScannerCacheConfig is the cache policy for a single scanner. Any field set = persistent cache enabled for this tool. All fields empty = no StageFreight-managed persistence (tool defaults). Eviction is full-clear (opaque DBs, no granular eviction).
type ScannersConfig ¶
type ScannersConfig struct {
Trivy *bool `yaml:"trivy,omitempty"` // run Trivy image scan (default: true)
Grype *bool `yaml:"grype,omitempty"` // run Grype image scan (default: true)
}
ScannersConfig controls which vulnerability scanners are enabled. Both default to true — scanners still require their binary in PATH. Uses *bool so omitting a key preserves the default instead of zeroing it.
func (ScannersConfig) GrypeEnabled ¶
func (s ScannersConfig) GrypeEnabled() bool
GrypeEnabled returns whether Grype scanning is enabled (default: true).
func (ScannersConfig) TrivyEnabled ¶
func (s ScannersConfig) TrivyEnabled() bool
TrivyEnabled returns whether Trivy scanning is enabled (default: true).
type SecurityCacheConfig ¶ added in v0.5.0
type SecurityCacheConfig struct {
Trivy ScannerCacheConfig `yaml:"trivy,omitempty"`
Grype ScannerCacheConfig `yaml:"grype,omitempty"`
}
SecurityCacheConfig controls persistent vuln DB caching per scanner tool. These are opaque tool-managed directories — StageFreight hosts and bounds them, but does not manage their internal structure.
type SecurityConfig ¶
type SecurityConfig struct {
Enabled bool `yaml:"enabled"` // run vulnerability scanning (default: true)
Required *bool `yaml:"required,omitempty"` // failure is hard pipeline fail (default: false)
Scanners ScannersConfig `yaml:"scanners"` // per-scanner toggles
SBOMEnabled bool `yaml:"sbom"` // generate SBOM artifacts (default: true)
FailOnCritical bool `yaml:"fail_on_critical"` // fail the pipeline if critical vulns found
OutputDir string `yaml:"output"` // directory for scan artifacts (default: .stagefreight/security)
// ReleaseDetail is the default detail level for security info in release notes.
// Values: "none", "counts", "detailed", "full" (default: "counts").
ReleaseDetail string `yaml:"release_detail"`
// ReleaseDetailRules are conditional overrides evaluated top-down (first match wins).
// Uses the standard Condition primitive for tag/branch matching with ! negation.
ReleaseDetailRules []DetailRule `yaml:"release_detail_rules"`
// Cache controls persistent vulnerability DB caching per scanner.
// Each tool's max_size triggers full-clear when exceeded (opaque DBs, no granular eviction).
// Empty/omitted per tool = no StageFreight-managed persistence for that tool.
Cache SecurityCacheConfig `yaml:"cache,omitempty"`
// OverwhelmMessage is the message lines shown when >1000 vulns are found.
// Defaults to ["…maybe start here:"] with the OverwhelmLink below.
OverwhelmMessage []string `yaml:"overwhelm_message"`
// OverwhelmLink is an optional URL appended after OverwhelmMessage.
// Defaults to a Psychology Today anxiety page. Empty string disables.
OverwhelmLink string `yaml:"overwhelm_link"`
}
SecurityConfig holds security scanning configuration.
func DefaultSecurityConfig ¶
func DefaultSecurityConfig() SecurityConfig
DefaultSecurityConfig returns sensible defaults for security scanning.
func (SecurityConfig) IsRequired ¶ added in v0.5.0
func (s SecurityConfig) IsRequired() bool
IsRequired returns whether security failure is a hard pipeline fail. Default: false.
type SourceConfig ¶
type SourceConfig struct {
Kind string `yaml:"kind"` // source type (default: "git")
Worktree string `yaml:"worktree"` // path to working tree (default: ".")
URL string `yaml:"url"` // optional: enables deterministic link_base/raw_base derivation
DefaultBranch string `yaml:"default_branch"` // optional: used with URL for raw_base derivation
}
SourceConfig defines the primary (authoritative) build source.
type SourcesConfig ¶
type SourcesConfig struct {
Primary SourceConfig `yaml:"primary"`
Mirrors []MirrorConfig `yaml:"mirrors,omitempty"`
PublishOrigin *PublishOrigin `yaml:"publish_origin,omitempty"`
}
SourcesConfig holds the build source definitions and mirror forge declarations. The primary source is the authoritative forge. Mirrors are strict downstream replicas synchronized outward from the primary. PublishOrigin declares where rendered artifacts are served from.
func DefaultSourcesConfig ¶
func DefaultSourcesConfig() SourcesConfig
DefaultSourcesConfig returns sensible defaults for source configuration.
type SummaryFilter ¶ added in v0.5.0
type SummaryFilter struct {
StripPhrases []string `yaml:"strip_phrases,omitempty"`
StripRegex []string `yaml:"strip_regex,omitempty"`
}
SummaryFilter strips content from commit subjects.
type SyncConfig ¶ added in v0.4.1
type SyncConfig struct {
// Git enables authoritative mirror replication via git push --mirror.
// All refs, branches, tags, deletions, force updates. This is the
// foundation — artifact sync runs only after mirror succeeds.
Git bool `yaml:"git,omitempty"`
// Releases enables forge-native release projection (notes, assets, links).
// Runs after git mirror succeeds. Tag is the identity key.
Releases bool `yaml:"releases,omitempty"`
// Docs enables README/doc file projection via forge commit API.
// Mutually exclusive with Git (docs arrive through git mirror).
// Only valid when Git is false.
Docs bool `yaml:"docs,omitempty"`
}
SyncConfig declares which sync domains an accessory receives. Git mirror is the foundation; artifact projection is subordinate and gated on mirror success for the same accessory.
type TagConfig ¶ added in v0.5.0
type TagConfig struct {
Defaults TagDefaults `yaml:"defaults"`
Message TagMessage `yaml:"message"`
}
TagConfig holds workflow defaults for the tag planner.
func DefaultTagConfig ¶ added in v0.5.0
func DefaultTagConfig() TagConfig
DefaultTagConfig returns sensible defaults.
type TagDefaults ¶ added in v0.5.0
type TagDefaults struct {
Target string `yaml:"target"` // default ref to tag (default: HEAD)
Preview bool `yaml:"preview"` // show preview before creating
RequireApproval bool `yaml:"require_approval"` // require interactive approval
Push bool `yaml:"push"` // push after creation
}
TagDefaults controls default tag planning behavior.
type TagMessage ¶ added in v0.5.0
type TagMessage struct {
Mode string `yaml:"mode"` // auto | prompt_if_missing | require_manual
EmptyStrategy string `yaml:"empty_strategy"` // prompt | fail | allow_empty
}
TagMessage controls tag annotation message behavior.
type TagPresentation ¶ added in v0.5.0
type TagPresentation struct {
MaxEntries int `yaml:"max_entries"`
GroupByType bool `yaml:"group_by_type"`
Style string `yaml:"style"` // concise | explanatory | technical
IncludeReleaseVisibleOnly bool `yaml:"include_release_visible_only"`
CollapseSimilar bool `yaml:"collapse_similar"`
}
TagPresentation controls tag annotation rendering.
type TargetCondition ¶
type TargetCondition struct {
// Branches lists branch filters. Each entry is a policy name or "re:<regex>".
// Empty = no branch filtering.
Branches []string `yaml:"branches,omitempty"`
// GitTags lists git tag filters. Each entry is a policy name or "re:<regex>".
// Empty = no tag filtering.
GitTags []string `yaml:"git_tags,omitempty"`
// Events lists CI event type filters.
// Supported: push, tag, release, schedule, manual, pull_request, merge_request.
// Empty = no event filtering.
Events []string `yaml:"events,omitempty"`
}
TargetCondition defines routing conditions for a target. All non-empty fields must match (AND logic).
type TargetConfig ¶
type TargetConfig struct {
// ID is the unique identifier for this target (logging, status, enable/disable).
ID string `yaml:"id"`
// Kind is the target type. Determines which fields are valid.
Kind string `yaml:"kind"`
// Build references a BuildConfig.ID. Required for kind: registry.
Build string `yaml:"build,omitempty"`
// When specifies routing conditions for this target.
When TargetCondition `yaml:"when,omitempty"`
// SelectTags enables CLI filtering via --select.
SelectTags []string `yaml:"select_tags,omitempty"`
// URL is the registry/forge hostname (kind: registry, docker-readme, release).
URL string `yaml:"url,omitempty"`
// Provider is the vendor type for auth and API behavior.
// Registry: docker, ghcr, gitlab, jfrog, harbor, quay, gitea, generic.
// Release: github, gitlab, gitea.
// If omitted on registry/docker-readme, inferred from URL.
Provider string `yaml:"provider,omitempty"`
// Path is the image path within the registry (kind: registry, docker-readme).
Path string `yaml:"path,omitempty"`
// Credentials is the env var prefix for authentication.
// Resolution: try {PREFIX}_TOKEN first, else {PREFIX}_USER + {PREFIX}_PASS.
Credentials string `yaml:"credentials,omitempty"`
// Description is a short description override (kind: registry, docker-readme).
Description string `yaml:"description,omitempty"`
// Retention controls cleanup of old tags/releases.
// Structured only in v2 (no scalar shorthand).
Retention *RetentionPolicy `yaml:"retention,omitempty"`
// Tags are tag templates resolved against version info (kind: registry).
// e.g., ["{version}", "{major}.{minor}", "latest"]
Tags []string `yaml:"tags,omitempty"`
// NativeScan enables post-push vulnerability scanning via the registry's own built-in scanner.
// Distinct from StageFreight's own scan pipeline (Trivy/Grype run by StageFreight itself).
// Currently supported: Harbor (triggers Harbor's built-in Trivy after each push).
// No-op for Docker Hub, GHCR, Quay, JFrog, and other providers.
// Best-effort — scan failures warn but do not fail the build.
// Push success does not imply scan success; results appear in the registry UI only.
NativeScan bool `yaml:"native_scan,omitempty"`
// File is the path to the README file (kind: docker-readme).
File string `yaml:"file,omitempty"`
// LinkBase is the base URL for relative link rewriting (kind: docker-readme).
LinkBase string `yaml:"link_base,omitempty"`
// SpecFiles lists component spec file paths (kind: gitlab-component).
SpecFiles []string `yaml:"spec_files,omitempty"`
// Catalog enables GitLab Catalog registration (kind: gitlab-component).
Catalog bool `yaml:"catalog,omitempty"`
// Aliases are rolling git tag aliases (kind: release).
// e.g., ["{version}", "{major}.{minor}", "latest"]
// Named "aliases" to avoid collision with Tags (image tags) and git_tags (policy filters).
Aliases []string `yaml:"aliases,omitempty"`
// ProjectID is the "owner/repo" or numeric ID for remote forge targets (kind: release).
ProjectID string `yaml:"project_id,omitempty"`
// SyncRelease syncs release notes + tags to a remote forge (kind: release, remote only).
SyncRelease bool `yaml:"sync_release,omitempty"`
// SyncAssets syncs scan artifacts to a remote forge (kind: release, remote only).
SyncAssets bool `yaml:"sync_assets,omitempty"`
// Archives references a binary-archive target ID (kind: release only).
Archives string `yaml:"archives,omitempty"`
// BinaryName overrides the binary name inside the archive (kind: binary-archive).
// Auto-detected from referenced build if omitted.
BinaryName string `yaml:"binary_name,omitempty"`
// Format is the archive format: "tar.gz", "zip", or "auto" (kind: binary-archive).
// "auto" picks zip for windows, tar.gz for everything else. Default: "auto".
Format string `yaml:"format,omitempty"`
// Name is the archive filename template (kind: binary-archive).
// Supports: {id}, {version}, {os}, {arch}. e.g., "{id}-{version}-{os}-{arch}".
Name string `yaml:"name,omitempty"`
// Include lists extra files to bundle into the archive (kind: binary-archive).
// e.g., ["README.md", "LICENSE"]
Include []string `yaml:"include,omitempty"`
// Checksums generates a SHA256SUMS file alongside archives (kind: binary-archive).
Checksums bool `yaml:"checksums,omitempty"`
}
TargetConfig defines a distribution target or side-effect. Each target has a unique ID and a kind that determines which fields are valid.
This is a discriminated union keyed by Kind. Only fields relevant to the kind should be set — validated at load time.
Target kinds:
- registry: Push image tags to a container registry (requires build reference)
- docker-readme: Sync README to a container registry (standalone)
- gitlab-component: Publish to GitLab CI component catalog (standalone)
- release: Create forge release + rolling git tags (standalone)
func (TargetConfig) IsRemoteRelease ¶
func (t TargetConfig) IsRemoteRelease() bool
IsRemoteRelease returns true if this release target has all remote forge fields set.
type TrailerFilter ¶ added in v0.5.0
type TrailerFilter struct {
StripKeys []string `yaml:"strip_keys,omitempty"`
}
TrailerFilter strips commit trailers/footers.
type VolumeProtection ¶ added in v0.5.0
type VolumeProtection struct {
Named *bool `yaml:"named,omitempty"` // protect all named volumes
}
VolumeProtection defines which volumes are protected from pruning.
Source Files
¶
- badge.go
- build.go
- buildcache.go
- commit.go
- conditions.go
- config.go
- dependency.go
- docker.go
- docker_lifecycle.go
- docs.go
- gitops.go
- glossary.go
- lifecycle.go
- lint.go
- manifest.go
- match.go
- migrate.go
- narrator.go
- normalize.go
- policies.go
- presentation.go
- release.go
- retention.go
- security.go
- sources.go
- tag.go
- target.go
- units.go
- validate.go